January 12, 2011

DEBORAH J. JUDY
DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS

GREGORY D. LARRABEE
MANAGER, RALEIGH INFORMATION TECHNOLOGY SERVICE CENTER

SUBJECT: Audit Report – Fiscal Year 2010 Selected Information Technology General
         Controls (Report Number IT-AR-11-002)

This report presents the results of our audit of Information Technology (IT) general
controls (Project Number 10RD001IT000). We conducted this audit in support of the
independent public accounting (IPA) firm's overall audit opinions on the U.S. Postal
Service's financial statements and internal controls over financial reporting.1 Our
objective was to evaluate and test infrastructure-level internal controls over the
information systems at the Postal Service Information Technology and Accounting
Service Centers (IT/ASCs) and the [redacted] Information Technology Service Center
(ITSC). This report summarizes the results of the nine IT process areas2 we tested. This
audit addresses financial risk. See Appendix A for additional information about this
audit.

The Postal Reorganization Act of 1970, as amended, requires annual audits of the
Postal Service's financial statements. In addition, the U.S. Congress enacted the
Sarbanes-Oxley Act (SOX) in calendar year 2002 to strengthen public confidence in the
accuracy and reliability of financial reporting. Section 404 of SOX requires management
to state its responsibility for establishing and maintaining an adequate internal control
structure and to make an assertion on the effectiveness of that internal control structure
over financial reporting. The Postal Accountability and Enhancement Act of 2006 requires
the Postal Service to comply with Section 404 of SOX beginning in fiscal year (FY) 2010.
The Board of Governors contracted with the IPA to express an opinion on the Postal
Service's financial statements. Beginning in FY 2010, that responsibility was expanded
to include an opinion on the Postal Service's internal control over financial reporting.

1 The IPA maintains overall responsibility for testing and review of all IT controls. The U.S. Postal Service Office of
  Inspector General (OIG) coordinated audit work with the IPA to ensure adequate coverage.
2 See Appendix A for additional information about the IT process areas reviewed.

Fiscal Year 2010 Selected Information Technology General Controls                    IT-AR-11-002

Conclusion

Infrastructure-level internal controls in the areas we tested were properly designed and
operating effectively. However, by strengthening controls over database and server
security settings, management can reduce the risk of a compromise that could
negatively affect the confidentiality, integrity, and availability of information resources
and data.

Oracle Database Configuration Settings

Management did not properly configure security settings on Oracle databases.
Specifically, [redacted]. This occurred because the database administrator did not
thoroughly review configuration settings on these databases after installing upgrades or
a new operating system.

Properly configured accounts and profiles prevent unauthorized users from gaining
access to sensitive information resources and making unauthorized changes to data or
programs. The Database Support Services group corrected these issues during the
course of our review; therefore, we are not making any recommendations regarding
corrective actions. See Appendix B for a detailed analysis of this topic.

The data in [redacted] we reviewed are potentially at risk, which affects
information technology. We quantified the costs associated with this risk, using a single
database supporting the [redacted], at approximately [redacted]. See Appendix C for
our calculation of data at risk.

Windows Server Management

Security settings on Windows servers were not in compliance with Postal Service
policy.6 While performing our review of Windows servers, we identified non-compliant:

    ▪ [redacted]
    ▪ [redacted]
    ▪ [redacted]

3 [redacted]
  Computer software, networks, and data that are vulnerable or at risk of loss because of fraud, inappropriate or
  unauthorized disclosure of sensitive data, or disruption of critical Postal Service operations and services.
6 Handbook AS-805, Information Security, Section 9-6.1.12, [redacted], dated February 2010.

The [redacted] occurred because administrators supporting servers were not always
notified when Information Technology Engineering and Architecture updated the
[redacted].7 Further, although management performs periodic reviews of Windows
software and settings, they did not correct the discrepancies identified during their
reviews. As a result, [redacted].

The [redacted] occurred because configurations of [redacted] were not centrally
managed, for example, by using Active Directory.8

Properly configuring accounts reduces the risk of unauthorized users gaining access to
sensitive information resources and making unauthorized changes to data or programs.
Management corrected these discrepancies on the servers we reviewed; however,
these conditions could exist on other Windows servers we did not review.9 See
Appendix B for our detailed analysis of this topic.

We recommend the director, Information Technology Operations, direct the manager,
[redacted] Information Technology Service Center, to:

1. Develop a procedure to notify administrators supporting Windows servers when
   [redacted] are available.

2. Correct discrepancies identified by the periodic reviews of all Windows servers, as
   appropriate.

3. Develop a methodology to centrally manage all [redacted].

Management's Comments

Management agreed with our recommendations. However, management stated they
could not validate the accuracy of the information in Appendix C (Other Impacts) and
believe the estimated potential cost to the Postal Service reported for data at risk
reflects a worst-case scenario.

In response to recommendation 1, management stated that all GPO implementations
are submitted and approved through the change request process. They will implement
an additional notification process with the groups responsible for administration of GPOs
on the Windows servers. Target completion date is March 31, 2011.

7 [redacted]
8 A directory service that provides the means to manage the identities and relationships that make up network
  environments.
9 While we limited our review to 22 Windows servers, there are approximately 300 Windows servers that support the
  in-scope SOX applications that could also be vulnerable to these conditions.

In response to recommendation 2, management will conduct periodic reviews of
Windows baseline configurations in February and August of each year. Within 30 days
of the review completion, management will produce an action plan that identifies each
discrepancy and the group assigned to correct the problem. The results will be posted in
the SOX artifact library. In addition, management will review the baseline standard build
annually. Target completion date is September 30, 2011.

To address recommendation 3, management updated Handbook AS-805 to prohibit
local accounts, with exceptions for built-in accounts and for accounts required by
commercial-off-the-shelf applications approved in eAccess. The identification and
approval of local accounts will be part of the semiannual review process. Target
completion date is September 30, 2011. See Appendix E for management's comments
in their entirety.

Evaluation of Management's Comments

The U.S. Postal Service Office of Inspector General (OIG) considers management's
comments responsive to the recommendations, and the actions taken should correct the
issues identified in the report. 
Additionally, we do not believe our other impacts
represent a worst-case scenario; rather, they represent a historical industry average of
the cost associated with the disclosure of personally identifiable information.

The OIG considers all of the recommendations significant and, therefore, requires OIG
concurrence before closure. Consequently, the OIG requests written confirmation when
corrective actions are completed. These recommendations should not be closed in the
Postal Service's follow-up tracking system until the OIG provides written confirmation
that the recommendations can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any
questions or need additional information, please contact Frances E. Cain, director,
Information Technology, or me at 703-248-2100.

    E-Signed by Darrell E. Benjamin, Jr.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Ellis A. Burgoyne
    Joseph Corbett
    Vincent H. Devito
    Harold E. Stark
    Charles L. McGann, Jr.
    Corporate Audit and Response Management

                            APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

The Postal Service SOX and Process Improvement office established the IT SOX
Compliance Management Office (CMO) to manage the annual documentation, testing,
remediation, reporting, and certification requirements to meet and maintain IT SOX
compliance. The IT SOX CMO is responsible for developing and implementing internal
IT SOX master controls,10 both general computer and application-specific controls.

The [redacted] and [redacted] IT/ASCs provide computer processing and accounting
services for the Postal Service. The [redacted] ITSC provides infrastructure services for
approximately [redacted] Postal Service locations. Each site includes multiple service
organizations that deploy and support systems and applications; provide accounting and
finance activities; and perform application development, enhancement, and maintenance
of systems that enable the Postal Service to achieve its business objectives. As of June
2010, these organizations support [redacted] financial11 applications and [redacted]
IT-related applications or infrastructure components.12

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to evaluate and test infrastructure-level internal controls over the
information systems at the Postal Service IT/ASCs and other related IT organizations.
Specifically, we reviewed IT master controls designed to mitigate risks associated with
[redacted] IT process areas that support in-scope financial applications.13

     ▪ [redacted]
     ▪ [redacted]
     ▪ [redacted]
     ▪ [redacted]
     ▪ [redacted]
     ▪ [redacted]
     ▪ [redacted]
     ▪ [redacted]
     ▪ [redacted]

10 A uniquely named control designed to mitigate risk associated with the infrastructure (for example, database,
   operating system, and so forth) supporting in-scope financial applications. Master controls are either general in
   nature (for example, addressing Active Directory security parameters) or application unique (for example, tailored
   specifically for the [redacted]).
11 The IT SOX CMO considers these significant business applications supporting an in-scope business process.
12 The IT SOX CMO determined that these IT systems have a comprehensive impact on the IT control environment
   or are relied on by in-scope applications for coverage of controls.
13 SOX in-scope applications include financial applications supporting in-scope business processes and IT
   applications that have a pervasive impact on the IT control environment.
14 An [redacted]

The IT SOX CMO identified [redacted] master controls to cover the IT process areas we
reviewed. See Tables 2 and 3 in Appendix D for a detailed list of master controls we
reviewed for each IT process area.

To accomplish our objective, we interviewed administrators, observed key processes
and procedures, and reviewed applicable Postal Service policies. We selected samples
of SOX in-scope applications, servers, and SOX-related notifications for detailed control
testing and analysis. We performed all system queries in a controlled environment with
management's full knowledge and approval. We conducted our audit at the [redacted]
and [redacted] IT/ASCs and the [redacted] ITSC.

We conducted this performance audit from October 2009 through January 2011 in
accordance with generally accepted government auditing standards and included such
tests of internal controls as we considered necessary under the circumstances. 
Those
standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our
audit objective. We believe the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objective. We discussed our observations
and conclusions with management on December 3, 2010, and included their comments
where appropriate.

We assessed the reliability of computer-generated data by reviewing configuration files
obtained from the audited systems and interviewing appropriate managers who were
knowledgeable about the data. We also reviewed existing information about the data
and the operating systems/platforms that produced the data. We determined that the
data were sufficiently reliable for the purposes of this report.

PRIOR AUDIT COVERAGE

Report Title: Fiscal Year 2009 Information Systems General Controls Capping Report
Report Number: IS-AR-10-005
Final Report Date: 3/31/2010
Report Results: Overall, general computer controls were in place and working
effectively. However, we identified issues in the following areas in four interim audit
reports: semiannual building key surveys and reviews of identification badge access
control lists; UNIX time-out sessions and unnecessary system and network services;
network component management and monitoring, authentication protocols, and data
encryption transmissions; and maintaining Windows Active Directory objects and
domain controllers not meeting security standards. This capping report contained no
additional recommendations, as the issues were addressed in separate audit reports
issued to management.

Report Title: Fiscal Year 2008 Information Systems General Controls Capping Report
Report Number: IS-AR-09-005
Final Report Date: 3/19/2009
Report Results: Overall, general computer controls were in place and working
effectively. However, four interim audit reports addressed additional controls and
actions needed in the areas of UNIX script monitoring, groups management, audit
configurations, and log monitoring; Oracle default profiles; security clearance
processing; periodic application risk assessments; off-site storage of UNIX tapes; and
facility recovery plan updates. This capping report contained no additional
recommendations, as the issues were addressed in separate audit reports issued to
management.

Report Title: Fiscal Year 2007 Information Systems General Controls Capping Report
Report Number: IS-AR-08-007
Final Report Date: 3/11/2008
Report Results: Overall, general computer controls were in place and working
effectively. However, five interim audit reports addressed additional controls and
actions needed in the areas of Oracle database security settings, Windows password
settings, classification of employees in sensitive positions, application recovery testing,
and key inventory management. This capping report contained no additional
recommendations, as the issues were addressed in separate audit reports issued to
management.

                               APPENDIX B: DETAILED ANALYSIS

Oracle Database Configuration Settings

Management did not properly configure security settings on Oracle databases.
Specifically, system accounts on [redacted] of the [redacted] databases supporting four
in-scope applications still [redacted]. In addition, Oracle accounts assigned to the
[redacted] had the [redacted] on one database.15

[redacted]

Postal Service policy17 requires management to [redacted] to the Postal Service
network. Oracle database policy18 requires management to [redacted] after installation.

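The hardening standard cited in footnote 18 ("Enable password management") is enforced through the password limits of the Oracle profile each account is assigned to, and a limit of DEFAULT silently inherits whatever the DEFAULT profile holds, which is exactly the kind of setting an upgrade or reinstall can leave in an unexpected state. The script below is an added example, not part of this report and not a Postal Service or Oracle tool, of the post-upgrade review the analysis says the database administrator did not perform: it reads the output of two queries a DBA would run in SQL*Plus against DBA_PROFILES and DBA_USERS, resolves DEFAULT limits to their effective values, and lists the OPEN accounts that inherit a profile with password management effectively disabled. The sample query output, the profile names, and the thresholds (at most 10 failed logins, a 90-day password lifetime, a finite grace period, password history enforced, a verify function set) are constructed assumptions; the actual AS-805 and hardening-standard values are redacted on the page.

```python
"""Post-upgrade review of Oracle password-management settings (added example).

Input is the text SQL*Plus prints for the two queries below with
SET PAGESIZE 0 LINESIZE 200 (no headings). All sample data is constructed.
"""

PROFILE_QUERY = (
    "SELECT profile, resource_name, limit FROM dba_profiles "
    "WHERE resource_type = 'PASSWORD' ORDER BY profile, resource_name"
)
USER_QUERY = "SELECT username, profile, account_status FROM dba_users"
UNLIMITED = "UNLIMITED"

# Constructed sample output; the profile names are hypothetical.
SAMPLE_PROFILES = """\
DEFAULT        FAILED_LOGIN_ATTEMPTS     10
DEFAULT        PASSWORD_GRACE_TIME       7
DEFAULT        PASSWORD_LIFE_TIME        180
DEFAULT        PASSWORD_LOCK_TIME        1
DEFAULT        PASSWORD_REUSE_MAX        UNLIMITED
DEFAULT        PASSWORD_REUSE_TIME       UNLIMITED
DEFAULT        PASSWORD_VERIFY_FUNCTION  NULL
APP_SVC        FAILED_LOGIN_ATTEMPTS     UNLIMITED
APP_SVC        PASSWORD_GRACE_TIME       DEFAULT
APP_SVC        PASSWORD_LIFE_TIME        UNLIMITED
APP_SVC        PASSWORD_LOCK_TIME        DEFAULT
APP_SVC        PASSWORD_REUSE_MAX        DEFAULT
APP_SVC        PASSWORD_REUSE_TIME       DEFAULT
APP_SVC        PASSWORD_VERIFY_FUNCTION  DEFAULT
HARDENED       FAILED_LOGIN_ATTEMPTS     5
HARDENED       PASSWORD_GRACE_TIME       3
HARDENED       PASSWORD_LIFE_TIME        60
HARDENED       PASSWORD_LOCK_TIME        UNLIMITED
HARDENED       PASSWORD_REUSE_MAX        10
HARDENED       PASSWORD_REUSE_TIME       365
HARDENED       PASSWORD_VERIFY_FUNCTION  VERIFY_FUNCTION_11G
"""
SAMPLE_USERS = """\
SYS        DEFAULT   OPEN
SYSTEM     DEFAULT   OPEN
DBSNMP     DEFAULT   EXPIRED & LOCKED
APPOWNER   APP_SVC   OPEN
REPORTS    HARDENED  OPEN
"""


def parse_profiles(text):
    """Turn the three-column DBA_PROFILES listing into {profile: {resource: limit}}."""
    profiles = {}
    for line in text.splitlines():
        if line.strip():
            profile, resource, limit = line.split()
            profiles.setdefault(profile, {})[resource] = limit
    return profiles


def resolve_limits(profiles):
    """Replace a limit of DEFAULT with the DEFAULT profile's value, which is what Oracle enforces."""
    base = profiles.get("DEFAULT", {})
    return {
        name: {r: (base.get(r, UNLIMITED) if lim == "DEFAULT" else lim) for r, lim in limits.items()}
        for name, limits in profiles.items()
    }


def _num(limit):
    """Numeric value of a limit, or None for UNLIMITED / NULL / function names."""
    try:
        return float(limit)
    except ValueError:
        return None


# Assumed thresholds for illustration only; the real policy values are redacted on the page.
REQUIREMENTS = {
    "FAILED_LOGIN_ATTEMPTS": (lambda v: _num(v) is not None and _num(v) <= 10, "must lock after at most 10 failures"),
    "PASSWORD_LIFE_TIME": (lambda v: _num(v) is not None and _num(v) <= 90, "must expire within 90 days"),
    "PASSWORD_GRACE_TIME": (lambda v: _num(v) is not None, "grace period must be finite"),
    "PASSWORD_REUSE_MAX": (lambda v: _num(v) is not None, "password history must be enforced"),
    "PASSWORD_VERIFY_FUNCTION": (lambda v: v != "NULL", "a complexity function must be set"),
}


def check_profile(limits):
    """Return (resource, effective_limit, reason) for each requirement the profile fails."""
    findings = []
    for resource, (ok, reason) in REQUIREMENTS.items():
        value = limits.get(resource, UNLIMITED)  # a missing row behaves like no limit at all
        if not ok(value):
            findings.append((resource, value, reason))
    return findings


def parse_users(text):
    """Rows of (username, profile, account_status); the status may contain spaces."""
    users = []
    for line in text.splitlines():
        if line.strip():
            username, profile, status = line.split(None, 2)
            users.append((username, profile, status.strip()))
    return users


def review(profile_text, user_text):
    """Map each non-compliant profile to its failed requirements and the OPEN accounts that inherit them."""
    resolved = resolve_limits(parse_profiles(profile_text))
    users = parse_users(user_text)
    report = {}
    for profile, limits in resolved.items():
        findings = check_profile(limits)
        if findings:
            report[profile] = {
                "violations": findings,
                "open_accounts": sorted(u for u, p, s in users if p == profile and s == "OPEN"),
            }
    return report


if __name__ == "__main__":
    for profile, detail in review(SAMPLE_PROFILES, SAMPLE_USERS).items():
        print(f"Profile {profile}: open accounts {', '.join(detail['open_accounts']) or 'none'}")
        for resource, value, reason in detail["violations"]:
            print(f"  {resource} = {value}: {reason}")
```

On the constructed sample the DEFAULT profile fails on lifetime, reuse and verify function, and APP_SVC fails on four limits even though three of them read DEFAULT in the raw listing; that inheritance is why reviewing DBA_PROFILES after an upgrade has to resolve DEFAULT rather than grep for UNLIMITED.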
Properly configuring [redacted] reduces the risk of unauthorized users gaining access or
making changes to sensitive information, data, or programs.

Windows Server Management

Security settings on Windows servers were not in compliance with Postal Service
policy.19 While performing our review of Windows servers, we identified non-compliant:

      ▪ [redacted]
      ▪ [redacted]
      ▪ [redacted]

15 The [redacted] database supporting the [redacted].
16 [redacted]
17 Handbook AS-805, Information Security, Sections 9-6.1.11, [redacted], and 9-6.1.12, [redacted], dated
   February 2010.
18 Security Hardening Standards Oracle Databases, Version 2.1, Section 5.8, Enable password management, dated
   September 3, 2009.
19 Handbook AS-805, Section 9-6.1.12, [redacted].

Table 1 shows the servers [redacted] setting issues. We identified these issues across
[redacted] servers; [redacted] of the [redacted] servers had a [redacted].

                  Table 1: Password and Account Lockout Settings Issues

    Number   Server Name/Application   Password Setting   Account Lockout Setting
    1-8      [redacted]                [redacted]         [redacted]

(Rows 1 through 8 of Table 1 are redacted.)

System administrators create domains and use Active Directory to manage security and
objects. The Postal Service has multiple domains such as USA production, development,
secure enclaves, and demilitarized zones (DMZ).20 During our review, we found that
servers outside the [redacted] domain did not receive [redacted], because
administrators supporting these servers were not always notified of the [redacted].
Additionally, we found that servers inside the [redacted] domain did not receive
[redacted] because of software and configuration issues such as ports that were not
open. Unless [redacted] are properly applied, management cannot ensure the Windows
servers are adequately secured to reduce the risk of unauthorized access to applications
and data.

[redacted] on [redacted] of the [redacted] servers had not been updated. The [redacted]
is designed primarily for initial logon and configuration of a local computer. The
[redacted] to avoid the potential for a computer security breach. Postal Service policy
states [redacted] considered sensitive (for example, [redacted] system supervisors,
software specialists, system administrators, or vendor-supplied) must be changed at
least every 30 days.

20 Enclaves can be implemented to enforce separate security zones; DMZs are network segments in between
   intranets, extranets, and the Internet that provide increased security for data transfer between information
   resources, vendors, and the public.
21 [redacted] is an infrastructure that allows you to implement specific configurations for users and computers.
   [redacted], which are linked to Active Directory service containers such as sites, domains, or organizational units.
22 Handbook AS-805, Section 9-6.1.12, [redacted].
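The Windows Server Management analysis above describes three distinct failure modes: password and account lockout settings outside policy (Table 1), servers that never received the updated settings because the GPO was not applied (outside the domain, or inside it with ports closed), and the local account used for initial logon whose password had not been changed within 30 days. The script below is an added example, not part of this report and not a Postal Service tool, of the per-server review behind recommendation 2: it evaluates the text of three commands an administrator already runs on each server, `secedit /export /cfg <file>` (the `[System Access]` section), `net user Administrator`, and `gpresult /r`, and reports every setting that misses the baseline, a stale Administrator password, and a missing baseline GPO in one list per server. The two sample servers, the GPO name "Server Baseline Security", and every threshold except the 30-day rule are constructed assumptions; the AS-805 values are redacted on the page.

```python
"""Baseline check of Windows server password, lockout, local Administrator and GPO state.

Added example. Inputs per server are the outputs of `secedit /export /cfg <file>`,
`net user Administrator` and `gpresult /r`; all samples below are constructed.
"""
import re
from datetime import datetime

# Assumed baseline (AS-805 values are redacted); only the 30-day rule is from the report.
ADMIN_MAX_AGE_DAYS = 30
BASELINE_GPO = "Server Baseline Security"  # hypothetical name of the baseline GPO
BASELINE = {
    "MinimumPasswordLength": (lambda v: v >= 8, "at least 8 characters"),
    "PasswordComplexity": (lambda v: v == 1, "enabled"),
    "PasswordHistorySize": (lambda v: v >= 24, "at least 24 passwords remembered"),
    "MaximumPasswordAge": (lambda v: 1 <= v <= 90, "1-90 days (-1 means never expires)"),
    "LockoutBadCount": (lambda v: 1 <= v <= 5, "1-5 attempts (0 disables lockout)"),
    "LockoutDuration": (lambda v: v == -1 or v >= 30, "30+ minutes, or -1 until unlocked"),
}


def parse_system_access(inf_text):
    """Integer settings from the [System Access] section of a secedit export."""
    settings, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[System Access]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if re.fullmatch(r"-?\d+", value):
                settings[key] = int(value)
    return settings


def check_policy(settings):
    """One finding per baseline setting that is missing or outside the required range."""
    findings = []
    for key, (ok, required) in BASELINE.items():
        if key not in settings:  # secedit omits lockout settings when lockout is disabled
            findings.append(f"{key} not set (required: {required})")
        elif not ok(settings[key]):
            findings.append(f"{key}={settings[key]} (required: {required})")
    return findings


def admin_password_age_days(net_user_text, as_of):
    """Days since 'Password last set' in `net user Administrator` output (US date format assumed)."""
    match = re.search(r"Password last set\s+(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)", net_user_text)
    if not match:
        return None
    return (as_of - datetime.strptime(match.group(1), "%m/%d/%Y %I:%M:%S %p")).days


def applied_gpos(gpresult_text):
    """GPO names under 'Applied Group Policy Objects' in the COMPUTER SETTINGS part of gpresult /r."""
    names, collecting = [], False
    for raw in gpresult_text.splitlines():
        line = raw.strip()
        if line.startswith("Applied Group Policy Objects"):
            collecting = True
        elif collecting and (line.startswith("The following GPOs") or line.startswith("The computer is")):
            break  # next section; the USER SETTINGS list further down is deliberately not read
        elif collecting and line and not line.startswith("-"):
            names.append(line)
    return names


def audit_server(inf_text, net_user_text, gpresult_text, as_of):
    """All findings for one server: policy settings, Administrator password age, baseline GPO."""
    findings = check_policy(parse_system_access(inf_text))
    age = admin_password_age_days(net_user_text, as_of)
    if age is None or age > ADMIN_MAX_AGE_DAYS:
        findings.append(f"local Administrator password age {age} days (limit {ADMIN_MAX_AGE_DAYS})")
    if BASELINE_GPO not in applied_gpos(gpresult_text):
        findings.append(f"baseline GPO '{BASELINE_GPO}' not applied")
    return findings


# Constructed samples: a server that received the baseline and one outside the domain that did not.
SECEDIT_OK = """[System Access]
MaximumPasswordAge = 60
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
"""
SECEDIT_BAD = """[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
"""
NET_USER_OK = "User name                    Administrator\nPassword last set            1/3/2011 9:12:05 AM\n"
NET_USER_BAD = "User name                    Administrator\nPassword last set            10/2/2010 4:40:10 PM\n"
GPRESULT_OK = """COMPUTER SETTINGS
    Applied Group Policy Objects
    -----------------------------
        Server Baseline Security
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
"""
GPRESULT_BAD = """COMPUTER SETTINGS
    Applied Group Policy Objects
    -----------------------------
        Local Group Policy

    The computer is a part of the following security groups
"""
AS_OF = datetime(2011, 1, 12)
SAMPLE_SERVERS = {"SRV-OK": (SECEDIT_OK, NET_USER_OK, GPRESULT_OK),
                  "SRV-BAD": (SECEDIT_BAD, NET_USER_BAD, GPRESULT_BAD)}


def audit_all(as_of=AS_OF):
    """Findings per sampled server; an empty list means the server met the assumed baseline."""
    return {name: audit_server(*inputs, as_of) for name, inputs in SAMPLE_SERVERS.items()}
```

The MaximumPasswordAge of -1 and the missing LockoutDuration in the second sample are the two shapes that a naive "is the value below the threshold" comparison gets wrong: secedit writes -1 for "never expires" and drops the lockout duration entirely when LockoutBadCount is 0, so both have to be treated as failures rather than as passing or absent data.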
                                APPENDIX C: OTHER IMPACTS

                                       Data at Risk

The following presents an estimate of the potential costs the Postal Service could incur
from the disclosure of personally identifiable information. We based the other impact of
[redacted] on an estimate of [redacted] sensitive records stored in two database tables
containing sensitive data elements related to the E-Facilities Management System. The
calculation assumes each record would contain at least one element of sensitive
information.

Cost Category (Costs per Customer Affected as Reported by the Ponemon Institute23)

Detection and Escalation: [redacted]
    Activities that enable a company to reasonably detect a breach of personal data
    either at high risk (in storage) or in motion; activities necessary to report the breach
    of protected information to appropriate personnel within a specified period.

Notification: [redacted]
    Activities that enable a company to notify data subjects with a letter, outbound
    telephone call, e-mail, or general notice that personal information was lost or stolen.

Ex-Post Response: [redacted]
    Activities to help victims of a breach communicate with the company to ask
    additional questions or obtain recommendations to minimize potential harms.
    Redress activities also include ex-post responses such as credit report monitoring or
    reissuance of a new account (or credit card).

Total: [redacted]

23 Ponemon Institute, LLC, Fifth Annual US Cost of Data Breach Study, dated January 2010.
24 The Ponemon Institute study included a cost category for "lost business" with a cost per customer of [redacted]
   per record. We have excluded this cost from our calculation, because we do not believe it is a fair
   representation of the potential cost the Postal Service could incur for this category.

                           APPENDIX D: TEST RESULTS AND DETAILS

Table 2 shows the level of compliance for the [redacted] Windows and Oracle SOX
master controls we tested.

                              Table 2: IT Master Controls Compliance

For each master control, the table reports for Windows the sample size (servers), the
number tested/passed, and the percentage of servers compliant, and for Oracle the
sample size (databases), the number tested/passed, and the percentage of databases
compliant. All counts and percentages are redacted.

    Master Control Number   Master Control
     1                      Account Suspension
     2                      Administrative Password Management
     3                      Configuration Baseline
     4                      Default Account Password Change
     5                      Separation of Duties
     6                      Password Parameter Configuration
     7                      Password Encryption
     8                      Patch Management
     9                      Security Log Monitor Configuration
    10                      Testing Documentation

25 The IT SOX CMO did not identify the Administrative Password Management master control for Windows
   operating systems.
26 We reviewed the results of a separate script for the separation of duties master control. There were [redacted]
   databases in the universe when we performed our review.
27 Based on the number of control IDs rather than number of servers.
28 We did not test the Patch Management or Testing Documentation master controls, because management
   recommended not applying the current patches, which they considered not critical enough to apply across all
   Oracle databases. Additionally, at the time of our testing, DBSS management had not determined an efficient
   process to install patches across the scope of all the in-scope Oracle databases. Patch installation requires each
   of the databases ([redacted] at the time of our testing) to be shut down.
29 The IT SOX CMO did not identify the Security Log Monitor Configuration master control for Oracle databases.

Table 3 presents the master controls the IT SOX CMO identified for the seven
remaining IT process areas we tested. The numbers in the table summarize the number
of sampled items tested and the number of sampled items passed for each of the master
controls identified. The variation in the sample numbers is attributed to the size of the
universe, the assessed risk of the area, and whether expanding the sample would be
likely to surface an additional exception.

                 Table 3: IT Process Areas and Master Controls Tested

The process-area column headings and the per-area tested/passed counts are redacted.
The master controls identified for testing are:

    Account Management Responsibility
    Account Suspension
    Administrative Password Management
    Configuration Baseline
    Default Account Password Change
    Inactivity Timeout
    Password Encryption
    Password Parameter Configuration
    Patch Management
    Review Security Logs
    Security Log Monitor Configuration
    Semi-Annual Account Review
    Separation of Duties
    Shared Manager Account Provisioning
    Testing Documentation
    UDS Managed Account Suspension
    UDS Managed Password Parameter
    UDS Managed Password Encryption
    Network Connection Authorization
    Firewall Management
    Network Archive Documentation
    Virtual Private Network Access Management

                        APPENDIX E: MANAGEMENT'S COMMENTS